{"api_version":"1","generated_at":"2026-05-13T13:33:31+00:00","cve":"CVE-2025-38222","urls":{"html":"https://cve.report/CVE-2025-38222","api":"https://cve.report/api/cve/CVE-2025-38222.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-38222","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-38222"},"summary":{"title":"ext4: inline: fix len overflow in ext4_prepare_inline_data","description":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n ftruncate(fd, 30);\n pwrite(fd, \"a\", 1, (1UL << 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n[ 44.545164] ------------[ cut here ]------------\n[ 44.545530] kernel BUG at fs/ext4/inline.c:240!\n[ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb\n[ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100\n[ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49\n[ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216\n[ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006\n[ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738\n[ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000\n[ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738\n[ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000\n[ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0\n[ 44.546523] PKRU: 55555554\n[ 44.546523] Call Trace:\n[ 44.546523] \n[ 44.546523] ext4_write_inline_data_end+0x126/0x2d0\n[ 44.546523] generic_perform_write+0x17e/0x270\n[ 44.546523] ext4_buffered_write_iter+0xc8/0x170\n[ 44.546523] vfs_write+0x2be/0x3e0\n[ 44.546523] __x64_sys_pwrite64+0x6d/0xc0\n[ 44.546523] do_syscall_64+0x6a/0xf0\n[ 44.546523] ? __wake_up+0x89/0xb0\n[ 44.546523] ? xas_find+0x72/0x1c0\n[ 44.546523] ? next_uptodate_folio+0x317/0x330\n[ 44.546523] ? set_pte_range+0x1a6/0x270\n[ 44.546523] ? filemap_map_pages+0x6ee/0x840\n[ 44.546523] ? ext4_setattr+0x2fa/0x750\n[ 44.546523] ? do_pte_missing+0x128/0xf70\n[ 44.546523] ? security_inode_post_setattr+0x3e/0xd0\n[ 44.546523] ? ___pte_offset_map+0x19/0x100\n[ 44.546523] ? handle_mm_fault+0x721/0xa10\n[ 44.546523] ? do_user_addr_fault+0x197/0x730\n[ 44.546523] ? do_syscall_64+0x76/0xf0\n[ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60\n[ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90\n[ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[ 44.546523] RIP: 0033:0x7f42999c6687\n[ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\n[ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012\n[ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687\n[ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003\n[ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000\n[ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2025-07-04 14:15:30","updated_at":"2026-05-12 13:16:44"},"problem_types":["CWE-190"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934","name":"https://git.kernel.org/stable/c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","name":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8","name":"https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/227cb4ca5a6502164f850d22aec3104d7888b270","name":"https://git.kernel.org/stable/c/227cb4ca5a6502164f850d22aec3104d7888b270","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e80ee0263d88d77f2fd1927f915003a7066cbb50","name":"https://git.kernel.org/stable/c/e80ee0263d88d77f2fd1927f915003a7066cbb50","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5766da2237e539f259aa0e5f3639ae37b44ca458","name":"https://git.kernel.org/stable/c/5766da2237e539f259aa0e5f3639ae37b44ca458","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/717414a8c083c376d4a8940a1230fe0c6ed4ee00","name":"https://git.kernel.org/stable/c/717414a8c083c376d4a8940a1230fe0c6ed4ee00","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/26e09d18599da0adc543eabd300080daaeda6869","name":"https://git.kernel.org/stable/c/26e09d18599da0adc543eabd300080daaeda6869","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","name":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d3dfc60efd145df5324b99a244b0b05505cde29b","name":"https://git.kernel.org/stable/c/d3dfc60efd145df5324b99a244b0b05505cde29b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-38222","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38222","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e d3dfc60efd145df5324b99a244b0b05505cde29b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e 717414a8c083c376d4a8940a1230fe0c6ed4ee00 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e 9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e cf5f319a2d8ab8238f8cf3a19463b9bff6420934 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e 26e09d18599da0adc543eabd300080daaeda6869 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e 5766da2237e539f259aa0e5f3639ae37b44ca458 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e e80ee0263d88d77f2fd1927f915003a7066cbb50 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f19d5870cbf72d4cb2a8e1f749dff97af99b071e 227cb4ca5a6502164f850d22aec3104d7888b270 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.8","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.8 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.295 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.239 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.186 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.142 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.95 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.35 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.15.4 6.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.16 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.5 * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"38222","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-11-03T17:35:40.178Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.5","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T12:04:40.912Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ext4/inline.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d3dfc60efd145df5324b99a244b0b05505cde29b","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"},{"lessThan":"717414a8c083c376d4a8940a1230fe0c6ed4ee00","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"},{"lessThan":"9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"},{"lessThan":"cf5f319a2d8ab8238f8cf3a19463b9bff6420934","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"},{"lessThan":"26e09d18599da0adc543eabd300080daaeda6869","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"},{"lessThan":"5766da2237e539f259aa0e5f3639ae37b44ca458","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"},{"lessThan":"e80ee0263d88d77f2fd1927f915003a7066cbb50","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"},{"lessThan":"227cb4ca5a6502164f850d22aec3104d7888b270","status":"affected","version":"f19d5870cbf72d4cb2a8e1f749dff97af99b071e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/ext4/inline.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.8"},{"lessThan":"3.8","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.295","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.239","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.186","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.142","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.95","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.35","versionType":"semver"},{"lessThanOrEqual":"6.15.*","status":"unaffected","version":"6.15.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.16","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.295","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.239","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.186","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.142","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.95","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.35","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.15.4","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.16","versionStartIncluding":"3.8","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n ftruncate(fd, 30);\n pwrite(fd, \"a\", 1, (1UL << 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n[ 44.545164] ------------[ cut here ]------------\n[ 44.545530] kernel BUG at fs/ext4/inline.c:240!\n[ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb\n[ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100\n[ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49\n[ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216\n[ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006\n[ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738\n[ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000\n[ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738\n[ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000\n[ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0\n[ 44.546523] PKRU: 55555554\n[ 44.546523] Call Trace:\n[ 44.546523] \n[ 44.546523] ext4_write_inline_data_end+0x126/0x2d0\n[ 44.546523] generic_perform_write+0x17e/0x270\n[ 44.546523] ext4_buffered_write_iter+0xc8/0x170\n[ 44.546523] vfs_write+0x2be/0x3e0\n[ 44.546523] __x64_sys_pwrite64+0x6d/0xc0\n[ 44.546523] do_syscall_64+0x6a/0xf0\n[ 44.546523] ? __wake_up+0x89/0xb0\n[ 44.546523] ? xas_find+0x72/0x1c0\n[ 44.546523] ? next_uptodate_folio+0x317/0x330\n[ 44.546523] ? set_pte_range+0x1a6/0x270\n[ 44.546523] ? filemap_map_pages+0x6ee/0x840\n[ 44.546523] ? ext4_setattr+0x2fa/0x750\n[ 44.546523] ? do_pte_missing+0x128/0xf70\n[ 44.546523] ? security_inode_post_setattr+0x3e/0xd0\n[ 44.546523] ? ___pte_offset_map+0x19/0x100\n[ 44.546523] ? handle_mm_fault+0x721/0xa10\n[ 44.546523] ? do_user_addr_fault+0x197/0x730\n[ 44.546523] ? do_syscall_64+0x76/0xf0\n[ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60\n[ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90\n[ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[ 44.546523] RIP: 0033:0x7f42999c6687\n[ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\n[ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012\n[ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687\n[ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003\n[ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000\n[ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T21:23:35.885Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d3dfc60efd145df5324b99a244b0b05505cde29b"},{"url":"https://git.kernel.org/stable/c/717414a8c083c376d4a8940a1230fe0c6ed4ee00"},{"url":"https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8"},{"url":"https://git.kernel.org/stable/c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934"},{"url":"https://git.kernel.org/stable/c/26e09d18599da0adc543eabd300080daaeda6869"},{"url":"https://git.kernel.org/stable/c/5766da2237e539f259aa0e5f3639ae37b44ca458"},{"url":"https://git.kernel.org/stable/c/e80ee0263d88d77f2fd1927f915003a7066cbb50"},{"url":"https://git.kernel.org/stable/c/227cb4ca5a6502164f850d22aec3104d7888b270"}],"title":"ext4: inline: fix len overflow in ext4_prepare_inline_data","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-38222","datePublished":"2025-07-04T13:37:37.879Z","dateReserved":"2025-04-16T04:51:23.995Z","dateUpdated":"2026-05-12T12:04:40.912Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-07-04 14:15:30","lastModifiedDate":"2026-05-12 13:16:44","problem_types":["CWE-190"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.4.295","matchCriteriaId":"25A1061F-208B-4EE7-9E76-15A7C1933114"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.239","matchCriteriaId":"C3D14F4C-A21E-465D-A928-5CCE684E2B98"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.186","matchCriteriaId":"D96F2C0D-0D4A-4658-AD34-D8A626EA422D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.142","matchCriteriaId":"459B4E94-FE0E-434D-B782-95E3A5FFC6B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.95","matchCriteriaId":"C5E01853-7048-4D78-9479-9AEE41AC8456"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.35","matchCriteriaId":"E569FD34-0076-4428-BE17-EECCF867611C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.4","matchCriteriaId":"DFD174C5-1AA2-4671-BDDC-1A9FCC753655"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"38222","Ordinal":"1","Title":"ext4: inline: fix len overflow in ext4_prepare_inline_data","CVE":"CVE-2025-38222","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"38222","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n ftruncate(fd, 30);\n pwrite(fd, \"a\", 1, (1UL << 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n[ 44.545164] ------------[ cut here ]------------\n[ 44.545530] kernel BUG at fs/ext4/inline.c:240!\n[ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb\n[ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100\n[ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49\n[ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216\n[ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006\n[ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738\n[ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000\n[ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738\n[ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000\n[ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0\n[ 44.546523] PKRU: 55555554\n[ 44.546523] Call Trace:\n[ 44.546523] \n[ 44.546523] ext4_write_inline_data_end+0x126/0x2d0\n[ 44.546523] generic_perform_write+0x17e/0x270\n[ 44.546523] ext4_buffered_write_iter+0xc8/0x170\n[ 44.546523] vfs_write+0x2be/0x3e0\n[ 44.546523] __x64_sys_pwrite64+0x6d/0xc0\n[ 44.546523] do_syscall_64+0x6a/0xf0\n[ 44.546523] ? __wake_up+0x89/0xb0\n[ 44.546523] ? xas_find+0x72/0x1c0\n[ 44.546523] ? next_uptodate_folio+0x317/0x330\n[ 44.546523] ? set_pte_range+0x1a6/0x270\n[ 44.546523] ? filemap_map_pages+0x6ee/0x840\n[ 44.546523] ? ext4_setattr+0x2fa/0x750\n[ 44.546523] ? do_pte_missing+0x128/0xf70\n[ 44.546523] ? security_inode_post_setattr+0x3e/0xd0\n[ 44.546523] ? ___pte_offset_map+0x19/0x100\n[ 44.546523] ? handle_mm_fault+0x721/0xa10\n[ 44.546523] ? do_user_addr_fault+0x197/0x730\n[ 44.546523] ? do_syscall_64+0x76/0xf0\n[ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60\n[ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90\n[ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[ 44.546523] RIP: 0033:0x7f42999c6687\n[ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\n[ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012\n[ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687\n[ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003\n[ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000\n[ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000\n---truncated---","Type":"Description","Title":"ext4: inline: fix len overflow in ext4_prepare_inline_data"}]}}}